

<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
  <meta charset="utf-8" />
  
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  
  <title>CVE-2021-20288: Unauthorized global_id reuse in cephx &mdash; Ceph Documentation</title>
  

  
  <link rel="stylesheet" href="../../_static/ceph.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/graphviz.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/css/custom.css" type="text/css" />

  
  
    <link rel="shortcut icon" href="../../_static/favicon.ico"/>
  

  
  

  

  
  <!--[if lt IE 9]>
    <script src="../../_static/js/html5shiv.min.js"></script>
  <![endif]-->
  
    
      <script type="text/javascript" id="documentation_options" data-url_root="../../" src="../../_static/documentation_options.js"></script>
        <script src="../../_static/jquery.js"></script>
        <script src="../../_static/underscore.js"></script>
        <script src="../../_static/doctools.js"></script>
    
    <script type="text/javascript" src="../../_static/js/theme.js"></script>

    
    <link rel="index" title="Index" href="../../genindex/" />
    <link rel="search" title="Search" href="../../search/" />
    <link rel="next" title="Vulnerability Management Process" href="../process/" />
    <link rel="prev" title="CVE-2021-3509: Dashboard XSS via token cookie" href="../CVE-2021-3509/" /> 
</head>

<body class="wy-body-for-nav">

   
  <header class="top-bar">
    

















  </header>
  <div class="wy-grid-for-nav">
    
    <nav data-toggle="wy-nav-shift" class="wy-nav-side">
      <div class="wy-side-scroll">
        <div class="wy-side-nav-search"  style="background: #eee" >
          

          
            <a href="../../">
          

          
            
            <img src="../../_static/logo.png" class="logo" alt="Logo"/>
          
          </a>

          

          

          
        </div>

        
        <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
          
            
            
              
            
            
              <ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../../start/intro/">Intro to Ceph</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../install/">Installing Ceph</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../cephadm/">Cephadm</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../rados/">Ceph Storage Cluster</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../cephfs/">Ceph File System</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../rbd/">Ceph Block Device</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../radosgw/">Ceph Object Gateway</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../mgr/">Ceph Manager Daemon</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../mgr/dashboard/">Ceph Dashboard</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../api/">API Documentation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../architecture/">Architecture</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../dev/developer_guide/">Developer Guide</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../dev/internals/">Ceph Internals</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../governance/">Governance</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../foundation/">Ceph Foundation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../ceph-volume/">ceph-volume</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../releases/general/">Ceph Releases (general)</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../releases/">Ceph Releases (index)</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="../">Security</a><ul class="current">
<li class="toctree-l2 current"><a class="reference internal" href="../cves/">Past Vulnerabilities / CVEs</a><ul class="current">
<li class="toctree-l3"><a class="reference internal" href="../CVE-2021-3531/"> CVE-2021-3531</a></li>
<li class="toctree-l3"><a class="reference internal" href="../CVE-2021-3524/"> CVE-2021-3524</a></li>
<li class="toctree-l3"><a class="reference internal" href="../CVE-2021-3509/"> CVE-2021-3509</a></li>
<li class="toctree-l3 current"><a class="current reference internal" href="#"> CVE-2021-20288</a><ul>
<li class="toctree-l4"><a class="reference internal" href="#summary">Summary</a></li>
<li class="toctree-l4"><a class="reference internal" href="#background">Background</a></li>
<li class="toctree-l4"><a class="reference internal" href="#attacker-requirements">Attacker Requirements</a></li>
<li class="toctree-l4"><a class="reference internal" href="#impact">Impact</a></li>
<li class="toctree-l4"><a class="reference internal" href="#affected-versions">Affected versions</a></li>
<li class="toctree-l4"><a class="reference internal" href="#fixed-versions">Fixed versions</a></li>
<li class="toctree-l4"><a class="reference internal" href="#fix-details">Fix details</a></li>
<li class="toctree-l4"><a class="reference internal" href="#recommendations">Recommendations</a></li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../process/">Vulnerability Management Process</a></li>
<li class="toctree-l2"><a class="reference internal" href="../#reporting-a-vulnerability">Reporting a vulnerability</a></li>
<li class="toctree-l2"><a class="reference internal" href="../#supported-versions">Supported versions</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../../glossary/">Ceph Glossary</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../jaegertracing/">Tracing</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../translation_cn/">Chinese translation resources</a></li>
</ul>

            
          
        </div>
        
      </div>
    </nav>

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      
      <nav class="wy-nav-top" aria-label="top navigation">
        
          <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
          <a href="../../">Ceph</a>
        
      </nav>


      <div class="wy-nav-content">
        
        <div class="rst-content">
        
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
            
<div id="dev-warning" class="admonition note">
  <p class="first admonition-title">Notice</p>
  <p class="last">This document is for a development version of Ceph.</p>
</div>

  
  <div class="section" id="cve-2021-20288-unauthorized-global-id-reuse-in-cephx">
<span id="cve-2021-20288"></span><h1>CVE-2021-20288: Unauthorized global_id reuse in cephx<a class="headerlink" href="#cve-2021-20288-unauthorized-global-id-reuse-in-cephx" title="Permalink to this headline">¶</a></h1>
<ul class="simple">
<li><p><a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2021-20288">NIST information page</a></p></li>
</ul>
<div class="section" id="summary">
<h2>Summary<a class="headerlink" href="#summary" title="Permalink to this headline">¶</a></h2>
<p>Ceph was not ensuring that reconnecting/renewing clients were
presenting an existing ticket when reclaiming their global_id value.
An attacker that was able to authenticate could claim a global_id in
use by a different client and potentially disrupt
other cluster services.</p>
</div>
<div class="section" id="background">
<h2>Background<a class="headerlink" href="#background" title="Permalink to this headline">¶</a></h2>
<p>Each authenticated client or daemon in Ceph is assigned a numeric
global_id identifier. That value is assumed to be unique across the
cluster.  When clients reconnect to the monitor (e.g., due to a
network disconnection) or renew their ticket, they are supposed to
present their old ticket to prove prior possession of their global_id
so that it can be reclaimed and thus remain constant over the lifetime
of that client instance.</p>
<p>Ceph was not correctly checking that the old ticket was valid, allowing
an arbitrary global_id to be reclaimed, even if it was in use by another
active client in the system.</p>
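<p>The following Python model is an added example, not Ceph's own code. It makes the monitor-side decision explicit: a real cephx ticket is encrypted under the service's secret key and carries the client's global_id and an expiry, so here a ticket is modelled as an HMAC-signed (global_id, expiry) pair. The model shows the pre-fix monitor honouring any global_id claim, the patched monitor either refusing or flagging a claim that is not backed by a valid ticket (the behaviour behind <code class="docutils literal notranslate"><span class="pre">auth_allow_insecure_global_id_reclaim</span></code> and <code class="docutils literal notranslate"><span class="pre">auth_expose_insecure_global_id_reclaim</span></code>), and a legitimate client that cannot reclaim once its ticket has outlived the TTL. The entity names, the secret, the timestamps and the idea that an unpatched client presents an empty ticket are all constructed for the example.</p>

```python
"""Model of cephx global_id reclaim before and after the CVE-2021-20288 fix.

Constructed example, not Ceph's code. A real cephx ticket is encrypted with the
service's secret key and carries the global_id and an expiry; here a ticket is an
HMAC-signed (global_id, expiry) pair so the monitor's validity check is explicit.
Entity names, the secret and the timestamps are all constructed.
"""
import hashlib
import hmac
import struct

MON_SECRET = b"constructed-monitor-secret"   # stands in for the monitor's cephx key
TICKET_LEN = 16 + 32                         # packed (global_id, expiry) + SHA-256 HMAC


def issue_ticket(global_id: int, ttl: float, now: float) -> bytes:
    """Monitor issues a ticket binding global_id to an expiry time."""
    body = struct.pack(">Qd", global_id, now + ttl)
    return body + hmac.new(MON_SECRET, body, hashlib.sha256).digest()


def ticket_is_valid(ticket: bytes, global_id: int, now: float) -> bool:
    """Patched check: MAC verifies, ticket is unexpired, and it names this global_id."""
    if len(ticket) != TICKET_LEN:
        return False
    body, mac = ticket[:16], ticket[16:]
    expected = hmac.new(MON_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return False
    gid, expires = struct.unpack(">Qd", body)
    return gid == global_id and now < expires


class Monitor:
    def __init__(self, patched=True, allow_insecure_reclaim=True,
                 expose_insecure_reclaim=True, ttl=72 * 3600):
        self.patched = patched
        self.allow_insecure_reclaim = allow_insecure_reclaim    # auth_allow_insecure_global_id_reclaim
        self.expose_insecure_reclaim = expose_insecure_reclaim  # auth_expose_insecure_global_id_reclaim
        self.ttl = ttl
        self.next_gid = 4100
        self.owner = {}                   # global_id -> entity currently holding it
        self.insecure_reclaimers = set()  # would feed AUTH_INSECURE_GLOBAL_ID_RECLAIM

    def reclaim(self, entity, claimed_gid, old_ticket, now):
        """Reconnect or renewal: entity asks for claimed_gid, presenting old_ticket."""
        if not self.patched:
            # Vulnerable monitor: the claim is honoured without looking at the ticket.
            self.owner[claimed_gid] = entity
            return True, issue_ticket(claimed_gid, self.ttl, now)
        if not ticket_is_valid(old_ticket, claimed_gid, now):
            if not self.allow_insecure_reclaim:
                return False, None                # refused: the client sees an auth error
            self.insecure_reclaimers.add(entity)  # tolerated for now, but flagged
        self.owner[claimed_gid] = entity
        return True, issue_ticket(claimed_gid, self.ttl, now)

    def connect(self, entity, now, patched_client=True):
        """Fresh authentication. A patched monitor with expose enabled immediately
        forces a reconnect so an insecure reclaimer is discovered right away."""
        gid = self.next_gid
        self.next_gid += 1
        self.owner[gid] = entity
        ticket = issue_ticket(gid, self.ttl, now)
        if self.patched and self.expose_insecure_reclaim:
            # Unpatched user-space clients present no valid old ticket (modelled as empty).
            ok, ticket = self.reclaim(entity, gid, ticket if patched_client else b"", now)
            if not ok:
                return None, None
        return gid, ticket


def hijack_scenario(patched_mon, allow_insecure, outage=0.0):
    """Authenticated attacker with a modified client claims the victim's global_id."""
    now = 1_700_000_000.0   # constructed epoch time
    mon = Monitor(patched=patched_mon, allow_insecure_reclaim=allow_insecure)
    victim_gid, victim_ticket = mon.connect("client.victim", now)
    mon.connect("client.attacker", now)   # the attacker holds a valid key of its own
    hijacked, _ = mon.reclaim("client.attacker", victim_gid, b"\x00" * TICKET_LEN, now)
    owner_after_attack = mon.owner[victim_gid]
    now += outage                         # victim comes back after a network outage
    victim_ok, _ = mon.reclaim("client.victim", victim_gid, victim_ticket, now)
    return {"hijacked": hijacked, "owner_after_attack": owner_after_attack,
            "victim_reclaimed": victim_ok, "flagged": sorted(mon.insecure_reclaimers)}


def expose_scenario(expose):
    """Is an unpatched client flagged at connect time, or only on a later reconnect?"""
    now = 1_700_000_000.0
    mon = Monitor(patched=True, allow_insecure_reclaim=True, expose_insecure_reclaim=expose)
    mon.connect("client.old", now, patched_client=False)
    mon.connect("client.new", now, patched_client=True)
    return sorted(mon.insecure_reclaimers)
```

<p>Two points the model makes visible. First, with <code class="docutils literal notranslate"><span class="pre">auth_allow_insecure_global_id_reclaim</span></code> still <code class="docutils literal notranslate"><span class="pre">true</span></code>, a patched monitor still lets the attacker take over the victim's global_id; the only difference from an unpatched monitor is that the attacker now shows up in the health alert. Second, with secure reclaim enforced, a victim whose outage outlasts the ticket TTL is also refused, which is why the default TTL was raised alongside the fix.</p>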
</div>
<div class="section" id="attacker-requirements">
<h2>Attacker Requirements<a class="headerlink" href="#attacker-requirements" title="Permalink to this headline">¶</a></h2>
<p>Any potential attacker must:</p>
<ul class="simple">
<li><p>have a valid authentication key for the cluster</p></li>
<li><p>know or guess the global_id of another client</p></li>
<li><p>run a modified version of the Ceph client code to reclaim another client’s global_id</p></li>
<li><p>construct appropriate client messages or requests to disrupt service or exploit
Ceph daemon assumptions about global_id uniqueness</p></li>
</ul>
</div>
<div class="section" id="impact">
<h2>Impact<a class="headerlink" href="#impact" title="Permalink to this headline">¶</a></h2>
<div class="section" id="confidentiality-impact">
<h3>Confidentiality Impact<a class="headerlink" href="#confidentiality-impact" title="Permalink to this headline">¶</a></h3>
<p>None</p>
</div>
<div class="section" id="integrity-impact">
<h3>Integrity Impact<a class="headerlink" href="#integrity-impact" title="Permalink to this headline">¶</a></h3>
<p>Partial.  An attacker could potentially exploit assumptions around
global_id uniqueness to disrupt other clients’ access or disrupt
Ceph daemons.</p>
</div>
<div class="section" id="availability-impact">
<h3>Availability Impact<a class="headerlink" href="#availability-impact" title="Permalink to this headline">¶</a></h3>
<p>High.  An attacker could potentially exploit assumptions around
global_id uniqueness to disrupt other clients’ access or disrupt
Ceph daemons.</p>
</div>
<div class="section" id="access-complexity">
<h3>Access Complexity<a class="headerlink" href="#access-complexity" title="Permalink to this headline">¶</a></h3>
<p>High.  The client must make use of modified client code in order to
exploit specific assumptions in the behavior of other Ceph daemons.</p>
</div>
<div class="section" id="authentication">
<h3>Authentication<a class="headerlink" href="#authentication" title="Permalink to this headline">¶</a></h3>
<p>Yes.  The attacker must also be authenticated and have access to the
same services as a client it is wishing to impersonate or disrupt.</p>
</div>
<div class="section" id="gained-access">
<h3>Gained Access<a class="headerlink" href="#gained-access" title="Permalink to this headline">¶</a></h3>
<p>Partial.  An attacker can partially impersonate another client.</p>
</div>
</div>
<div class="section" id="affected-versions">
<h2>Affected versions<a class="headerlink" href="#affected-versions" title="Permalink to this headline">¶</a></h2>
<p>All Ceph monitor versions prior to the fixed releases listed below fail
to ensure that global_id reclaim attempts are authentic.</p>
<p>In addition, all user-space daemons and clients from Luminous v12.2.0 onward
were failing to securely reclaim their global_id, following commit a2eb6ae3fb57
(“mon/monclient: hunt for multiple monitor in parallel”).</p>
<p>All versions of the Linux kernel client properly authenticate.</p>
</div>
<div class="section" id="fixed-versions">
<h2>Fixed versions<a class="headerlink" href="#fixed-versions" title="Permalink to this headline">¶</a></h2>
<ul class="simple">
<li><p>Pacific v16.2.1 (and later)</p></li>
<li><p>Octopus v15.2.11 (and later)</p></li>
<li><p>Nautilus v14.2.20 (and later)</p></li>
</ul>
</div>
<div class="section" id="fix-details">
<h2>Fix details<a class="headerlink" href="#fix-details" title="Permalink to this headline">¶</a></h2>
<ol class="arabic">
<li><p>Patched monitors now properly require that clients securely reclaim
their global_id when the <code class="docutils literal notranslate"><span class="pre">auth_allow_insecure_global_id_reclaim</span></code>
option is <code class="docutils literal notranslate"><span class="pre">false</span></code>.  Initially, by default, this option is set to
<code class="docutils literal notranslate"><span class="pre">true</span></code> so that existing clients can continue to function without
disruption until all clients have been upgraded.  When this option
is set to <code class="docutils literal notranslate"><span class="pre">false</span></code>, an unpatched client will not be able to reconnect
to the cluster after an intermittent network disruption breaks
its connection to a monitor, nor be able to renew its authentication
ticket when it times out (by default, after 72 hours).</p>
<p>Patched monitors raise the <code class="docutils literal notranslate"><span class="pre">AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED</span></code>
health alert if <code class="docutils literal notranslate"><span class="pre">auth_allow_insecure_global_id_reclaim</span></code> is enabled.
This health alert can be muted with:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ceph</span> <span class="n">health</span> <span class="n">mute</span> <span class="n">AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED</span> <span class="mi">1</span><span class="n">w</span>
</pre></div>
</div>
<p>Although it is not recommended, the alert can also be disabled with:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ceph</span> <span class="n">config</span> <span class="nb">set</span> <span class="n">mon</span> <span class="n">mon_warn_on_insecure_global_id_reclaim_allowed</span> <span class="n">false</span>
</pre></div>
</div>
</li>
<li><p>Patched monitors can disconnect new clients right after they have
authenticated (forcing them to reconnect and reclaim) in order to
determine whether they securely reclaim global_ids.  This allows
the cluster and users to discover quickly whether clients would be
affected by requiring secure global_id reclaim: most clients will
report an authentication error immediately.  This behavior can be
disabled by setting <code class="docutils literal notranslate"><span class="pre">auth_expose_insecure_global_id_reclaim</span></code> to
<code class="docutils literal notranslate"><span class="pre">false</span></code>:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ceph</span> <span class="n">config</span> <span class="nb">set</span> <span class="n">mon</span> <span class="n">auth_expose_insecure_global_id_reclaim</span> <span class="n">false</span>
</pre></div>
</div>
</li>
<li><p>Patched monitors will raise the <code class="docutils literal notranslate"><span class="pre">AUTH_INSECURE_GLOBAL_ID_RECLAIM</span></code> health
alert for any clients or daemons that are not securely reclaiming their
global_id.  These clients should be upgraded before disabling the
<code class="docutils literal notranslate"><span class="pre">auth_allow_insecure_global_id_reclaim</span></code> option to avoid disrupting
client access.</p>
<p>By default (if <code class="docutils literal notranslate"><span class="pre">auth_expose_insecure_global_id_reclaim</span></code> has not
been disabled), clients’ failure to securely reclaim global_id will
immediately be exposed and raise this health alert.
However, if <code class="docutils literal notranslate"><span class="pre">auth_expose_insecure_global_id_reclaim</span></code> has been
disabled, this alert will not be triggered for a client until it is
forced to reconnect to a monitor (e.g., due to a network disruption)
or the client renews its authentication ticket (by default, after
72 hours).</p>
</li>
<li><p>The default time-to-live (TTL) for authentication tickets has been increased
from 12 hours to 72 hours.  Because we previously were not ensuring that
a client’s prior ticket was valid when reclaiming their global_id, a client
could tolerate a network outage that lasted longer than the ticket TTL and still
reclaim its global_id.  Once the cluster starts requiring secure global_id reclaim,
a client that is disconnected for longer than the TTL may fail to reclaim its global_id,
fail to reauthenticate, and be unable to continue communicating with the cluster
until it is restarted.  The default TTL was increased to minimize the impact of this
change on users.</p></li>
</ol>
</div>
<div class="section" id="recommendations">
<h2>Recommendations<a class="headerlink" href="#recommendations" title="Permalink to this headline">¶</a></h2>
<ol class="arabic">
<li><p>Users should upgrade to a patched version of Ceph at their earliest
convenience.</p></li>
<li><p>Users should upgrade any unpatched clients at their earliest
convenience.  By default, these clients can be easily identified by
checking the <code class="docutils literal notranslate"><span class="pre">ceph</span> <span class="pre">health</span> <span class="pre">detail</span></code> output for the
<code class="docutils literal notranslate"><span class="pre">AUTH_INSECURE_GLOBAL_ID_RECLAIM</span></code> alert.</p></li>
<li><p>If not all clients can be upgraded immediately, the health alerts can be
temporarily muted with:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ceph</span> <span class="n">health</span> <span class="n">mute</span> <span class="n">AUTH_INSECURE_GLOBAL_ID_RECLAIM</span> <span class="mi">1</span><span class="n">w</span>  <span class="c1"># 1 week</span>
<span class="n">ceph</span> <span class="n">health</span> <span class="n">mute</span> <span class="n">AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED</span> <span class="mi">1</span><span class="n">w</span>  <span class="c1"># 1 week</span>
</pre></div>
</div>
</li>
<li><p>After all clients have been updated and the <code class="docutils literal notranslate"><span class="pre">AUTH_INSECURE_GLOBAL_ID_RECLAIM</span></code>
alert is no longer present, the cluster should be set to prevent insecure
global_id reclaim with:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ceph</span> <span class="n">config</span> <span class="nb">set</span> <span class="n">mon</span> <span class="n">auth_allow_insecure_global_id_reclaim</span> <span class="n">false</span>
</pre></div>
</div>
</li>
</ol>
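<p>The following script is an added example, not part of Ceph, that turns the four steps above into a check an operator can run before the final one. It reads the JSON that <code class="docutils literal notranslate"><span class="pre">ceph</span> <span class="pre">health</span> <span class="pre">detail</span> <span class="pre">-f</span> <span class="pre">json</span></code> prints (a <code class="docutils literal notranslate"><span class="pre">checks</span></code> map keyed by health-check name), lists the entities still reclaiming insecurely, and only recommends setting <code class="docutils literal notranslate"><span class="pre">auth_allow_insecure_global_id_reclaim</span></code> to <code class="docutils literal notranslate"><span class="pre">false</span></code> once <code class="docutils literal notranslate"><span class="pre">AUTH_INSECURE_GLOBAL_ID_RECLAIM</span></code> has cleared. The sample health document is constructed; the exact wording of the detail messages and the presence of a <code class="docutils literal notranslate"><span class="pre">muted</span></code> field are assumptions about the monitor's output.</p>

```python
"""Gate the last step of the CVE-2021-20288 rollout on the monitor's health checks.

Constructed example, not part of Ceph. It reads the JSON printed by
`ceph health detail -f json` (a "checks" map keyed by health-check name). The
sample document below is constructed; the wording of the detail messages and
the presence of the "muted" field are assumptions about the monitor's output.
"""
import json
import subprocess
import sys

RECLAIM = "AUTH_INSECURE_GLOBAL_ID_RECLAIM"
ALLOWED = "AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED"

SAMPLE_HEALTH = json.dumps({   # constructed sample in the shape of `ceph health detail -f json`
    "status": "HEALTH_WARN",
    "checks": {
        ALLOWED: {
            "severity": "HEALTH_WARN",
            "summary": {"message": "mons are allowing insecure global_id reclaim"},
            "detail": [{"message": "mon.a has auth_allow_insecure_global_id_reclaim set to true"}],
            "muted": False,
        },
        RECLAIM: {
            "severity": "HEALTH_WARN",
            "summary": {"message": "clients are using insecure global_id reclaim"},
            "detail": [
                {"message": "client.rgw-a at v1:10.0.0.11:0/2201 is using insecure global_id reclaim"},
                {"message": "client.admin at v1:10.0.0.5:0/9912 is using insecure global_id reclaim"},
                {"message": "client.admin at v1:10.0.0.6:0/1034 is using insecure global_id reclaim"},
            ],
            "muted": True,   # someone ran `ceph health mute ...`; the clients are still unpatched
        },
    },
})


def insecure_reclaimers(health_json: str) -> list:
    """Entities still reclaiming insecurely. Each would lose the ability to
    reconnect or renew once auth_allow_insecure_global_id_reclaim is false."""
    check = json.loads(health_json).get("checks", {}).get(RECLAIM)
    if not check:
        return []
    names = set()
    for item in check.get("detail", []):
        # assumption: each detail line opens with the entity name, e.g. "client.admin at ..."
        names.add(item.get("message", "").split(" at ", 1)[0])
    return sorted(names)


def plan(health_json: str) -> dict:
    """Decide what the operator may do now. A muted check is still a finding:
    muting silences the alert, it does not upgrade the clients."""
    checks = json.loads(health_json).get("checks", {})
    if RECLAIM in checks:
        return {"action": "upgrade-clients", "entities": insecure_reclaimers(health_json)}
    if ALLOWED in checks:
        return {"action": "disable-insecure-reclaim",
                "command": "ceph config set mon auth_allow_insecure_global_id_reclaim false"}
    return {"action": "done"}


def drop_check(health_json: str, name: str) -> str:
    """Helper that simulates a check clearing after the listed clients are upgraded."""
    doc = json.loads(health_json)
    doc["checks"].pop(name, None)
    return json.dumps(doc)


if __name__ == "__main__":
    if "--live" in sys.argv:   # against a real cluster: needs the ceph CLI and a keyring
        health = subprocess.check_output(["ceph", "health", "detail", "-f", "json"], text=True)
    else:
        health = SAMPLE_HEALTH
    print(json.dumps(plan(health), indent=2))
```

<p>Run it without arguments to see the decision for the constructed sample, or with <code class="docutils literal notranslate"><span class="pre">--live</span></code> on a host that has the <code class="docutils literal notranslate"><span class="pre">ceph</span></code> CLI and an admin keyring. The script deliberately treats a muted <code class="docutils literal notranslate"><span class="pre">AUTH_INSECURE_GLOBAL_ID_RECLAIM</span></code> as blocking: muting the alert (step 3) buys time, but flipping the option while the alert is merely muted still cuts off every client it lists.</p>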
</div>
</div>



           </div>
           
          </div>
          <footer>
    <div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
        <a href="../process/" class="btn btn-neutral float-right" title="Vulnerability Management Process" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
        <a href="../CVE-2021-3509/" class="btn btn-neutral float-left" title="CVE-2021-3509: Dashboard XSS via token cookie" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
    </div>

  <hr/>

  <div role="contentinfo">
    <p>
        &#169; Copyright 2016, Ceph authors and contributors. Licensed under Creative Commons Attribution Share Alike 3.0 (CC-BY-SA-3.0).

    </p>
  </div> 

</footer>
        </div>
      </div>

    </section>

  </div>
  

  <script type="text/javascript">
      jQuery(function () {
          SphinxRtdTheme.Navigation.enable(true);
      });
  </script>

  
  
    
   

</body>
</html>